Top Stories for the Week of April 25, 2018

Here are the stories we're following for the week of Wednesday April 25, 2018

Germany's supreme court has rejected a legal case that sought to stop people using the popular “Adblock Plus program” that removes ads from websites.

Germany's supreme court has rejected a legal case that sought to stop people using the popular Adblock Plus program that removes ads from websites.

The lawsuit was started three years ago by German publishing giant, Axel Springer. It alleged that the way Adblock Plus stopped people seeing advertisements on its sites amounted to unfair competition.

Axel Springer said it would continue its legal challenge by taking the issue to Germany's Constitutional Court.

The German publishing firm first complained about Adblock Plus in 2015, alleging that it broke competition laws by letting firms pay to be on a "white list" to stop their ads being blocked. It took the case to the Supreme Court after losing the first round of legal action in 2015.

Other German media firms that also launched related legal action said the simple blocking of ads was a violation of local laws designed to promote competition.

The Supreme Court disagreed with Springer's allegations and said no laws were being broken because it was up to individual users whether or not they used the software.

The creators of Adblock Plus welcomed the ruling and said in a statement that it was "excited that Germany's highest court upheld the right every internet citizen possesses to block unwanted advertising online."

After the verdict, Claas-Hendrick Soehring, Springer's head of media law, said the ruling was "an attack on the heart of the free media."

A Chinese web giant has found a “Windows zero-day,” and is keeping the details quiet while working with Microsoft on the issue.

A Chinese web giant has found a “Windows zero-day,” and is keeping the details quiet while working with Microsoft on the issue.

Chinese company Quihoo 360 says it's found a Windows zero-day in the wild, but because it has notified Microsoft, it's not telling anyone else how it works.

The company announced an “APT attack” on the unspecified zero-day “on a global scale.”

It called the vulnerability a “double kill” bug, said it exploits “the latest version of Internet Explorer and applications that use the IE kernel,” and added that it's being spread in Microsoft Office documents that include a malicious web page.

If a victim opens the document, the post claims, the malicious code will run in the background to execute the unspecified attack program.

Its only illustration of the attack is in the Chinese-language-annotated image shown here.

Microsoft would far prefer that users stopped using Internet Explorer and adopt its Edge browser instead. Some users are proving stubborn, however. According to Net Market Share, IE still has a rusted-on 12 percent of the browser market.

An unpatchable vulnerability has been found in the Nintendo Switch that can be exploited to run custom code.

An unpatchable vulnerability has been found in the Nintendo Switch that can be exploited to run custom code.

Security researcher Kate Temkin has released proof-of-concept code dubbed “Fusée Gelée” that exploits a bug in Nvidia's Tegra chipsets to run custom code on locked-down devices.

Temkin, who participates in the Nintendo Switch hacking project ReSwitched, has developed a cold-boot hack for the games console that takes advantage of an unpatchable blunder in the Tegra boot ROM.

She's also working on customized Switch firmware called Atmosphère, which can be installed via Fusée Gelée.

Essentially, Fusée Gelée exploits a vulnerability during a Switch's startup to commandeer the gadget and execute unofficial software. This is useful for unlocking the locked-down Nintendo Switch so that home-brew games, custom firmware, and other code can be run.

You'll need physical access to the hardware during power-up to perform Fusée Gelée—it's not something that can be pulled off over the air.

In a blog post outlining her findings earlier this month, Temkin explained: "The relevant vulnerability is the result of a 'coding mistake' in the read-only boot ROM found in most Tegra devices."

Temkin reckoned the issue is present in all Nintendo Switches. The nature of the flaw is such that it will require a hardware revision to fix. The boot ROM, which contains the programming bug, accepts minor patches in the factory but cannot be updated afterwards; according to Temkin. That means once a vulnerable machine rolls off of the assembly line, the vulnerability is baked in and cannot be mitigated.

Temkin said the exploit was responsibly disclosed to and forwarded to other vendors that use Tegra embedded processors, including Nintendo.

Successful exploitation compromises the processor's root-of-trust and provides the attacker with access to secrets burned into device fuses, as well as allowing arbitrary code execution.

While such an exploit could be used for malware that compromises a user's personal data, due to the very nature of the Nintendo Switch (being a gaming console), it's most likely this will be exploited to root the device and create custom bootloaders for sideloading unofficial applications.

Full details of the bug is set to be revealed on June 15, 2018, unless it is made public by others first (a parallel effort to create custom firmware for the Switch using the vulnerability, or one substantially similar, is underway by a group called Team Xecuter).

Do you run Drupal? You need to upgrade immediately!

Do you run Drupal? You need to upgrade immediately as an in-the-wild exploit aims to take over your server.

Attackers are mass-exploiting a recently fixed vulnerability in the Drupal content management system that allows them to take complete control of powerful website servers.

At least three different attack groups are exploiting "Drupalgeddon2," the name given to an extremely critical vulnerability that Drupal maintainers patched in late March.

Drupalgeddon2 makes it easy for anyone on the Internet to take complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. Exploits allow attackers to run code of their choice without having to have an account of any type on a vulnerable website.

The mass exploitation of Drupal servers reminds us of the epidemic of unpatched Windows servers a decade ago, which gave criminal hackers access to millions of PCs. The attackers would then use their widely distributed perches to launch new intrusions. Because web servers have significantly more computing power and Internet bandwidth than a desktop computer, the new rash of servers being compromised by this exploit poses a much greater threat to the Internet.

Drupal maintainers have patched the critical vulnerability in both the 7.x and 8.x version families, as well as the 6.x family, which maintainers stopped supporting in 2016. Administrators who have yet to install the patch should assume their systems are compromised and take immediate action to disinfect them.

License

If you post these videos, please provide credit along with a link back to http://www.category5.tv. Please consider donating to help us offset the high cost of offering free video to you, and the entire world.